Hi Rachana
Thanks for your answer.
On Aug 8, 2007, at 4:59 PM, Rachana Ananthakrishnan wrote:
I see that the DN in question is a host DN and I wouldn't expect
you to map that in the gridmap. Sorry, missed that when I read the
email before.
Typically only the client DN, which is a user DN, is set in the
gridmap. Looking at your logs, it seems like the client is
accessing some service Foo, which in turn invokes "GramJob". Is
that correct ? You seem to be delegating the credentials of service
Foo to the delegation service.
Yes, I am using a service to invoke the GramJob.
When the client calls service Foo, using the settings in your port
type, you will have the client's delegated credentials at the end
of the invocation. You should use that for all other operations, if
you require that "GramJob" calls use the client's credential. To do
that, in your service security descriptor, set GSI Secure
conversation as the required method and run-as to be caller-
identity. This will ensure that the delegated credentials will be
set as the credentials associated with the thread and the
subsequent invocations from the thread will use the client's
delegated credentials.
Alternatively, you can use delegation service to delegate client
credentials to and then use that from your service.
http://www.globus.org/toolkit/docs/4.0/security/delegation/
If you indeed want to delegate host credentials, then you will need
to add a gridmap entry with the host DN. But I am not sure I
understand why you would want to do that.
WS GRAM and the multi job option, that takes a request for
submitting jobs for a user and submits it on behalf of the user to
a configured GRAM service is available as part of the Globus
Toolkit. http://www.globus.org/toolkit/docs/4.0/execution/wsgram/
Is your requirement different from what that service fulfills ?
Rachana
My client and server side code look like this:
Client:
_____________________________
try {
    msgContext.getCurrentContext();
    manager = (ExtendedGSSManager) ExtendedGSSManager.getInstance();
    cred = manager.createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    userGlobusCred = ((GlobusGSSCredentialImpl) cred).getGlobusCredential();
    iA = new IdentityAuthorization(userGlobusCred.getIdentity());
    delegFactoryEndpoint = DelegationServiceEndpoint.getInstance().getDelegationServiceEndpoint();
    delegFactory = delegfactoryLocator.getDelegationFactoryPortTypePort(delegFactoryEndpoint);
    iiA = new HostAuthorization();
    secDesc = new ClientSecurityDescriptor();
    secDesc.setGSITransport(Constants.ENCRYPTION);
    secDesc.setAuthz(iiA);
    secDesc.setDelegation(GSIConstants.GSI_MODE_FULL_DELEG);
    secDesc.setGSSCredential(cred);
} catch (Exception e) {
    System.out.println("Error1: " + e);
}
///////////////////////////
try {
    //((Stub) problemsolverFactory)._setProperty(Constants.CLIENT_DESCRIPTOR, secDesc);
    ((Stub) delegFactory)._setProperty(Constants.CLIENT_DESCRIPTOR, secDesc);
    certToSign = DelegationUtil.getCertificateChainRP(delegFactoryEndpoint, secDesc)[0]; // first element in the returned array
    credentialEndpoint = DelegationUtil.delegate(
        delegFactoryurl,  // String
        userGlobusCred,   // GlobusCredential
        certToSign,       // X509Certificate
        lifetime,         // int (seconds)
        true,             // boolean
        secDesc);         // ClientSecurityDescriptor
} catch (Exception e) {
    System.out.println("Error2:" + e);
}
_____________________________
Service side code:
______________________________
MessageContext messageContext = MessageContext.getCurrentContext();
Subject subject = (Subject) messageContext.getProperty(Constants.PEER_SUBJECT);
if (subject != null) {
    // Print only after the null check so a missing peer subject does not throw.
    System.out.println("Subject: " + subject.toString());
    cred = JaasGssUtil.getCredential(subject);
}
______________________________
Do I have to do anything else? Or is this implementation not
complete? Or do I have to set some parameters in the configuration file?
Thanks
Salman Toor
From: Rachana Ananthakrishnan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 8:46 AM
To: 'Salman Zubair Toor'; 'gt-user'
Cc: 'Johan Tordsson'; 'P-O Östberg'
Subject: RE: [gt-user] Exception while delegating user credentials....
Yes, the DN of the client should be added to the gridmap file
configured for the services, so that they can be authorized.
Rachana
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Salman Zubair Toor
Sent: Sunday, August 05, 2007 9:44 AM
To: gt-user
Cc: Johan Tordsson; P-O Östberg
Subject: [gt-user] Exception while delegating user credentials....
Hi all,
I want to delegate the user credentials to the service so that the
service can submit jobs on behalf of the user, but I get an error:
Client side code:
_______________________________
..........
    ExtendedGSSManager manager = (ExtendedGSSManager) ExtendedGSSManager.getInstance();
    cred = manager.createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    GlobusCredential userGlobusCred = ((GlobusGSSCredentialImpl) cred).getGlobusCredential();
    iA = new IdentityAuthorization(userGlobusCred.getIdentity());
} catch (Exception e) {
    System.out.println("Error: " + e);
}
try {
    ((Stub) port)._setProperty(Constants.GSI_SEC_CONV, Constants.ENCRYPTION);
    ((Stub) port)._setProperty(Constants.AUTHORIZATION, iA);
    ((Stub) port)._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_FULL_DELEG);
    ((Stub) port)._setProperty(GSIConstants.GSI_CREDENTIALS, cred);
.........
_______________________________
Service Side code :
_______________________________
Subject subject = JaasSubject.getCurrentSubject();
if (subject != null) {
cred = JaasGssUtil.getCredential(subject);
}
_______________________________
It delivers the credentials but throws this Exception.
Submission ID: uuid:59a6f3e0-435f-11dc-896a-81489780028d
2007-08-05 16:22:51,934 INFO client.GramJob [ServiceThread-11,submit:415] <startTime name="submission">1186323771934</startTime>
2007-08-05 16:22:51,941 INFO client.GramJob [ServiceThread-11,fetchDelegationFactoryEndpoints:645] <startTime name="fetchDelegFactoryEndoints">1186323771941</startTime>
2007-08-05 16:22:52,272 INFO client.GramJob [ServiceThread-11,fetchDelegationFactoryEndpoints:652] <endTime name="fetchDelegFactoryEndoints">1186323772272</endTime>
2007-08-05 16:22:52,273 INFO client.GramJob [ServiceThread-11,delegate:730] <startTime name="fetchDelegCertChainRP">1186323772273</startTime>
2007-08-05 16:22:52,397 INFO client.GramJob [ServiceThread-11,delegate:739] <endTime name="fetchDelegCertChainRP">1186323772397</endTime>
2007-08-05 16:22:52,398 INFO client.GramJob [ServiceThread-11,delegate:764] <startTime name="delegate">1186323772398</startTime>
2007-08-05 16:22:52,521 WARN authorization.GridMapAuthorization [ServiceThread-10,isPermitted:158] Gridmap authorization failed: peer "/O=Grid/O=NorduGrid/CN=host/styx.uppmax.uu.se" not in gridmap file.
2007-08-05 16:22:52,521 WARN authorization.ServiceAuthorizationChain [ServiceThread-10,authorize:292] "/O=Grid/O=NorduGrid/CN=host/styx.uppmax.uu.se" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service
2007-08-05 16:22:52,530 ERROR delegation.DelegationUtil [ServiceThread-11,delegate:440] org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/O=Grid/O=NorduGrid/CN=host/styx.uppmax.uu.se" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service
java.io.IOException: Job request error: org.globus.delegation.DelegationException: [Caused by: org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: "/O=Grid/O=NorduGrid/CN=host/styx.uppmax.uu.se" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service]
    at org.globus.services.core.problemsolver.impl.ProblemSolverGRAMClient.processJob(ProblemSolverGRAMClient.java:334)
    at org.globus.services.core.problemsolver.impl.ProblemSolverGRAMClient.submitRSL(ProblemSolverGRAMClient.java:230)
    at org.globus.services.core.problemsolver.impl.ProblemSolverGRAMClient.multiJobSubmission(ProblemSolverGRAMClient.java:498)
    at org.globus.services.core.problemsolver.impl.SolverJobSubmission.multiJobProcessing(ProblemSolverService.java:243)
    at org.globus.services.core.problemsolver.impl.ProblemSolverService.solverJobSubmission(ProblemSolverService.java:184)
    at org.globus.services.core.problemsolver.impl.ProblemSolverService.findResource(ProblemSolverService.java:174)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
    at org.globus.axis.providers.RPCProvider.invokeMethodSub(RPCProvider.java:107)
    at org.globus.axis.providers.PrivilegedInvokeMethodAction.run(PrivilegedInvokeMethodAction.java:42)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:379)
    at org.globus.gsi.jaas.GlobusSubject.runAs(GlobusSubject.java:55)
    at org.globus.gsi.jaas.JaasSubject.doAs(JaasSubject.java:90)
    at org.globus.axis.providers.RPCProvider.invokeMethod(RPCProvider.java:97)
    at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
    at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:450)
    at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
    at org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
    at org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
    at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:147)
    at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
Can anybody guide me on what exactly is wrong in this code? Should I
enter "/O=Grid/O=NorduGrid/CN=host/styx.uppmax.uu.se" in the gridmap file?
Thanks.
Salman Toor.
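
Added example, not part of the original thread or of the Globus Toolkit: a small log triage script that picks out the two WARN line shapes quoted above and separates denied host credentials (CN=host/...) from denied user DNs, which is the distinction the replies turn on. The sample lines and DNs are constructed, and the function names are hypothetical.

```python
import re

# Line shapes copied from the container log quoted in the thread.
GRIDMAP_FAIL = re.compile(
    r'^\S+ \S+ WARN\s+authorization\.GridMapAuthorization .*?'
    r'peer "(?P<dn>[^"]+)" not in gridmap file')
OP_DENIED = re.compile(
    r'^\S+ \S+ WARN\s+authorization\.ServiceAuthorizationChain .*?'
    r'"(?P<dn>[^"]+)" is not authorized to use operation: (?P<op>\S+)')

def rdns(dn):
    """Split a slash-style DN into RDNs; 'CN=host/fqdn' stays one piece."""
    return [p for p in re.split(r'/(?=[A-Za-z]+=)', dn) if p]

def is_host_dn(dn):
    """True when any CN has the host credential form CN=host/<fqdn>."""
    cns = [r[3:] for r in rdns(dn) if r.upper().startswith("CN=")]
    return any(cn.lower().startswith("host/") for cn in cns)

def triage(lines):
    """Group authorization denials by peer DN and flag host credentials."""
    findings = {}
    for line in lines:
        m = GRIDMAP_FAIL.match(line) or OP_DENIED.match(line)
        if not m:
            continue
        dn = m.group("dn")
        f = findings.setdefault(dn, {"host_credential": is_host_dn(dn),
                                     "operations": set(), "count": 0})
        f["count"] += 1
        op = m.groupdict().get("op")
        if op:
            f["operations"].add(op)
    return findings

# Constructed sample lines in the format shown in the thread.
SAMPLE = [
    '2007-08-05 16:22:52,398 INFO client.GramJob [ServiceThread-11,delegate:764] <startTime name="delegate">1</startTime>',
    '2007-08-05 16:22:52,521 WARN authorization.GridMapAuthorization [ServiceThread-10,isPermitted:158] Gridmap authorization failed: peer "/O=Grid/O=Example/CN=host/svc.example.org" not in gridmap file.',
    '2007-08-05 16:22:52,521 WARN authorization.ServiceAuthorizationChain [ServiceThread-10,authorize:292] "/O=Grid/O=Example/CN=host/svc.example.org" is not authorized to use operation: {http://www.globus.org/08/2004/delegationService}requestSecurityToken on this service',
    '2007-08-05 16:25:01,002 WARN authorization.GridMapAuthorization [ServiceThread-12,isPermitted:158] Gridmap authorization failed: peer "/O=Grid/O=Example/CN=Alice Example" not in gridmap file.',
]

if __name__ == "__main__":
    for dn, f in triage(SAMPLE).items():
        kind = "host credential" if f["host_credential"] else "user DN"
        print(f'{dn}: {kind}, {f["count"]} denial(s), ops={sorted(f["operations"])}')
```

A denied host credential suggests the intermediate service is presenting its own identity, so the run-as and delegation settings are the first thing to check; a denied user DN is the ordinary missing gridmap entry.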